diff --git a/.woke.yaml b/.woke.yaml index c23dee5fc83..53dd50b363d 100644 --- a/.woke.yaml +++ b/.woke.yaml @@ -13,3 +13,4 @@ ignore_files: - packaging/fedora/snapd.spec - packaging/ubuntu-14.04/changelog - packaging/ubuntu-16.04/changelog + - tests/lib/snaps/store/test-snapd-ovmf/snapcraft.yaml diff --git a/spread.yaml b/spread.yaml index 27e325fc0a0..383852f9737 100644 --- a/spread.yaml +++ b/spread.yaml @@ -109,7 +109,6 @@ environment: NESTED_REPACK_KERNEL_SNAP: '$(HOST: echo "${NESTED_REPACK_KERNEL_SNAP:-true}")' NESTED_REPACK_GADGET_SNAP: '$(HOST: echo "${NESTED_REPACK_GADGET_SNAP:-true}")' NESTED_REPACK_BASE_SNAP: '$(HOST: echo "${NESTED_REPACK_BASE_SNAP:-true}")' - NESTED_FORCE_MS_KEYS: '$(HOST: echo "${NESTED_FORCE_MS_KEYS:-false}")' NESTED_KERNEL_MODULES_COMP: '$(HOST: echo "${NESTED_KERNEL_MODULES_COMP:-}")' # Whether we should use snapd snap ./built-snap/ directory diff --git a/tests/lib/nested.sh b/tests/lib/nested.sh index 5e7375c6b79..973f56f319f 100755 --- a/tests/lib/nested.sh +++ b/tests/lib/nested.sh @@ -66,6 +66,7 @@ nested_wait_vm_ready() { # Check the vm is active if ! systemctl is-active "$NESTED_VM"; then echo "Unit $NESTED_VM is not active. Aborting!" + journalctl -u "${NESTED_VM}" return 1 fi @@ -399,12 +400,11 @@ nested_refresh_to_new_core() { } nested_get_snakeoil_key() { - local KEYNAME="PkKek-1-snakeoil" - local VERSION - VERSION="$(nested_get_version)" - wget -q https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/"$VERSION"/snakeoil/"$KEYNAME".key - wget -q https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/"$VERSION"/snakeoil/"$KEYNAME".pem - echo "$KEYNAME" + nested_ensure_ovmf >/dev/null + + cp "${NESTED_ASSETS_DIR}/ovmf/secboot/DB.key" DB.key + cp "${NESTED_ASSETS_DIR}/ovmf/secboot/DB.crt" DB.pem + echo DB } nested_secboot_remove_signature() { 
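Review bot: In the `@@ -399` hunk, nested_get_snakeoil_key now copies the test-snapd-ovmf DB key pair and echoes `DB`, so the function name no longer describes what callers receive; either rename it (e.g. `nested_get_db_key`, keeping the old name as a one-line wrapper for existing callers) or add a header comment such as `# Copies the DB signing key shipped in test-snapd-ovmf into the cwd and prints its basename; the snakeoil key is no longer fetched`. The `nested_ensure_ovmf >/dev/null` result is also not checked before the two `cp` calls, so unless nested.sh runs under `set -e` (not visible here) a failed download surfaces only as a confusing "No such file" from cp; `nested_ensure_ovmf >/dev/null || return 1` makes the failure explicit. Writing `DB.key` into whatever the current directory happens to be, rather than into a caller-supplied or asset directory, also deserves a comment since the key lands wherever the test is invoked from.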
@@ -1160,6 +1160,16 @@ nested_force_stop_vm() { systemctl stop "$NESTED_VM" } +nested_ensure_ovmf() { + if [ -d "${NESTED_ASSETS_DIR}/ovmf" ]; then + return + fi + if ! [ -f "${NESTED_ASSETS_DIR}/test-snapd-ovmf.snap" ]; then + snap download --channel=latest/edge test-snapd-ovmf --basename=test-snapd-ovmf --target-directory="${NESTED_ASSETS_DIR}" + fi + unsquashfs -d "${NESTED_ASSETS_DIR}/ovmf" "${NESTED_ASSETS_DIR}/test-snapd-ovmf.snap" +} + nested_force_start_vm() { # if the $NESTED_VM is using a swtpm, we need to wait until the file exists # because the file disappears temporarily after qemu exits 
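Review bot: A failed or interrupted `unsquashfs` in nested_ensure_ovmf leaves `${NESTED_ASSETS_DIR}/ovmf` partially populated, and the `-d` guard on the first line then returns success on every later call, so the VM is started against incomplete firmware with no diagnostic; extracting into a staging directory and renaming it into place on success avoids that. The `snap download --channel=latest/edge` call is also unpinned, so the firmware and enrolled keys used by a test run can change between runs without any change in this repository; if reproducibility matters, consider `--revision` or at least logging the downloaded revision from the `.assert` file next to the snap. The rewritten extraction step is below; the download block is unchanged.
```shell
nested_ensure_ovmf() {
    if [ -d "${NESTED_ASSETS_DIR}/ovmf" ]; then
        return
    fi
    # … unchanged: snap download of test-snapd-ovmf.snap …
    # Extract into a staging dir so a failed or interrupted unsquashfs never
    # leaves a half-populated ovmf/ that the -d check above treats as complete.
    rm -rf "${NESTED_ASSETS_DIR}/ovmf.tmp"
    unsquashfs -d "${NESTED_ASSETS_DIR}/ovmf.tmp" "${NESTED_ASSETS_DIR}/test-snapd-ovmf.snap" || return 1
    mv "${NESTED_ASSETS_DIR}/ovmf.tmp" "${NESTED_ASSETS_DIR}/ovmf"
}
```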
@@ -1274,43 +1284,27 @@ nested_start_core_vm_unit() { PARAM_ASSERTIONS="-drive if=none,id=stick,format=raw,file=$NESTED_ASSETS_DIR/assertions.disk,cache=none,format=raw -device nec-usb-xhci,id=xhci -device usb-storage,bus=xhci.0,removable=true,drive=stick" fi if nested_is_core_ge 20; then - # use a bundle EFI bios by default - local OVMF_CODE OVMF_VARS - OVMF_CODE="" - OVMF_VARS="" - - if nested_is_core_ge 22; then - wget -q https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_CODE.secboot.fd - mv OVMF_CODE.secboot.fd /usr/share/OVMF/OVMF_CODE.secboot.fd - wget -q https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_VARS.snakeoil.fd - mv OVMF_VARS.snakeoil.fd /usr/share/OVMF/OVMF_VARS.snakeoil.fd - wget -q https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_VARS.ms.fd - mv OVMF_VARS.ms.fd /usr/share/OVMF/OVMF_VARS.ms.fd - OVMF_CODE="_4M" - OVMF_VARS="_4M" - fi - - if nested_is_secure_boot_enabled; then - OVMF_CODE=".secboot" - if [ "$NESTED_FORCE_MS_KEYS" != "true" ] && { [ "$NESTED_BUILD_SNAPD_FROM_CURRENT" = "true" ] || [ "${NESTED_FORCE_SNAKEOIL_KEYS:-false}" = "true" ] ; }; then - OVMF_VARS=".snakeoil" - else - OVMF_VARS=".ms" - fi - fi - + nested_ensure_ovmf + local OVMF_CODE OVMF_VARS OVMF_VARS_SECBOOT OVMF_VARS_CURRENT OVMF if os.query is-arm; then - if [ -z "${NESTED_KEEP_FIRMWARE_STATE-}" ] || ! [ -e "$NESTED_ASSETS_DIR/AAVMF_VARS.fd" ]; then - cp -f "/usr/share/AAVMF/AAVMF_VARS.fd" "$NESTED_ASSETS_DIR/AAVMF_VARS.fd" - fi - PARAM_BIOS="-drive file=/usr/share/AAVMF/AAVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on -drive file=$NESTED_ASSETS_DIR/AAVMF_VARS.fd,if=pflash,format=raw" + OVMF=QEMU else - if [ -z "${NESTED_KEEP_FIRMWARE_STATE-}" ] || ! 
[ -e "$NESTED_ASSETS_DIR/OVMF_VARS${OVMF_VARS}.fd" ]; then - cp -f "/usr/share/OVMF/OVMF_VARS${OVMF_VARS}.fd" "$NESTED_ASSETS_DIR/OVMF_VARS${OVMF_VARS}.fd" + OVMF=OVMF + fi + OVMF_CODE="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_CODE.fd" + OVMF_VARS="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_VARS.fd" + OVMF_VARS_SECBOOT="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_VARS.enrolled.fd" + OVMF_VARS_CURRENT="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_VARS.current.fd" + + if [ -z "${NESTED_KEEP_FIRMWARE_STATE-}" ] || ! [ -e "${OVMF_VARS_CURRENT}" ]; then + if nested_is_secure_boot_enabled; then + cp -fv "${OVMF_VARS_SECBOOT}" "${OVMF_VARS_CURRENT}" + else + cp -fv "${OVMF_VARS}" "${OVMF_VARS_CURRENT}" fi - PARAM_BIOS="-drive file=/usr/share/OVMF/OVMF_CODE${OVMF_CODE}.fd,if=pflash,format=raw,unit=0,readonly=on -drive file=$NESTED_ASSETS_DIR/OVMF_VARS${OVMF_VARS}.fd,if=pflash,format=raw" - PARAM_MACHINE="-machine q35${ATTR_KVM} -global ICH9-LPC.disable_s3=1" fi + PARAM_BIOS="-drive file=${OVMF_CODE},if=pflash,format=raw,readonly=on -drive file=${OVMF_VARS_CURRENT},if=pflash,format=raw" + PARAM_MACHINE="-machine q35${ATTR_KVM}" if nested_is_tpm_enabled; then if snap list test-snapd-swtpm >/dev/null; then diff --git a/tests/lib/snaps/store/test-snapd-ovmf/efitools-ms-kek.patch b/tests/lib/snaps/store/test-snapd-ovmf/efitools-ms-kek.patch new file mode 100644 index 00000000000..1a4a86bd312 --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/efitools-ms-kek.patch 
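Review bot: The arm branch sets `OVMF=QEMU` and the code path then builds `OVMF_CODE="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_CODE.fd"`, i.e. `QEMU_CODE.fd`, but the snapcraft.yaml added in this same commit installs the arm64 firmware as `QEMU_EFI.fd` (its ovmf part uses `CODE=EFI` for arm64 and `CODE=CODE` for amd64, and its ovmf-secboot part opens `${OVMF}_${CODE}.fd`), so on arm the first pflash drive points at a file that does not exist in the extracted snap. Track the suffix the same way: `OVMF=QEMU; CODE=EFI` in the arm branch, `OVMF=OVMF; CODE=CODE` in the else branch, and `OVMF_CODE="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_${CODE}.fd"` (adding `CODE` to the `local` list). `PARAM_MACHINE="-machine q35${ATTR_KVM}"` has also moved out of the x86-only else branch and is now set on the arm path too; q35 is an x86 machine type, so unless a later line of the function overrides it for arm this looks like a regression — the enclosing nested_start_core_vm_unit starts and ends outside the hunk, so I cannot confirm. A one-line comment on the `OVMF_VARS_CURRENT` copy, such as `# writable NVRAM copy; the enrolled image already carries the test DB, snakeoil, kernel and MS keys, so NESTED_FORCE_MS_KEYS no longer applies`, would explain why the previous ms/snakeoil selection disappeared.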
@@ -0,0 +1,13 @@ +diff --git a/Make.rules b/Make.rules +index 903a5a4..5328063 100644 +--- a/Make.rules ++++ b/Make.rules +@@ -81,7 +81,7 @@ endif + ./cert-to-efi-sig-list -g $(MYGUID) $< $@ + + getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi) +-getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi) ++getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); elif [ "$(1)" = ms-kek ]; then echo KEK; else echo db; fi) + + %.auth: %.esl PK.crt KEK.crt sign-efi-sig-list + ./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@ diff --git a/tests/lib/snaps/store/test-snapd-ovmf/efitools-updatevars-temporary-constants.patch b/tests/lib/snaps/store/test-snapd-ovmf/efitools-updatevars-temporary-constants.patch new file mode 100644 index 00000000000..9280dfa8d66 --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/efitools-updatevars-temporary-constants.patch 
@@ -0,0 +1,28 @@ +diff --git a/UpdateVars.c b/UpdateVars.c +index 2d21563..00027cb 100644 +--- a/UpdateVars.c ++++ b/UpdateVars.c +@@ -28,15 +28,19 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) + EFI_GUID *owner; + CHAR16 **variables; + EFI_GUID **owners; ++ CHAR16 *variables_dbt[] = { L"PK", L"KEK", L"db", L"dbx", L"dbt", L"MokList" , NULL}; ++ EFI_GUID *owners_dbt[] = { &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &SIG_DB, &MOK_OWNER }; ++ CHAR16 *variables_nodbt[] = { L"PK", L"KEK", L"db", L"dbx", L"MokList" , NULL}; ++ EFI_GUID *owners_nodbt[] = { &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &MOK_OWNER }; + + InitializeLib(image, systab); + + if (GetOSIndications() & EFI_OS_INDICATIONS_TIMESTAMP_REVOCATION) { +- variables = (CHAR16 *[]){ L"PK", L"KEK", L"db", L"dbx", L"dbt", L"MokList" , NULL}; +- owners = (EFI_GUID *[]){ &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &SIG_DB, &MOK_OWNER }; ++ variables = variables_dbt; ++ owners = owners_dbt; + } else { +- variables = (CHAR16 *[]){ L"PK", L"KEK", L"db", L"dbx", L"MokList" , NULL}; +- owners = (EFI_GUID *[]){ &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &MOK_OWNER }; ++ variables = variables_nodbt; ++ owners = owners_nodbt; + } + + status = argsplit(image, &argc, &ARGV); diff --git a/tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/repart.d/01-efi.conf b/tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/repart.d/01-efi.conf new file mode 100644 index 00000000000..77206d60bbd --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/repart.d/01-efi.conf @@ -0,0 +1,3 @@ +[Partition] +Type=esp +CopyFiles=/efi:/ diff --git a/tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/root/efi/startup.nsh b/tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/root/efi/startup.nsh new file mode 100644 index 00000000000..72d533dbda0 --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/root/efi/startup.nsh 
@@ -0,0 +1,8 @@ +LockDown.efi +UpdateVars.efi -a db snakeoil-update.auth +UpdateVars.efi -a db kernel-edge-20-22-update.auth +UpdateVars.efi -a db kernel-edge-24-update.auth +UpdateVars.efi -a KEK ms-kek-pkupdate.auth +UpdateVars.efi -a db ms-uefi-update.auth +UpdateVars.efi dbx initial-dbx.auth +reset -s diff --git a/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/PkKek-1-snakeoil.pem b/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/PkKek-1-snakeoil.pem new file mode 100644 index 00000000000..73936f78bd4 --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/PkKek-1-snakeoil.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIUSbJC1oRCJUbGkwfWHscBeZrRHZcwDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UECgwJU25ha2UgT2lsMB4XDTE5MTEwMTIyMDI1NVoXDTE5MTIw +MTIyMDI1NVowFDESMBAGA1UECgwJU25ha2UgT2lsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAzUDpJwDzDpLo2ytVRSgt/QWRYk/Yjae5fbujitq73XYL +uDZ+/Wf5U6zpOfyfzX/l5R0KCV9XYUJF47QEmNCnoWpg3cRdRry+3FIYtdnNK151 +AZ2L74OI4sMX1akSE+MfZFgdPFcm+n0uJgQuvRYGyYaR6N1wbhJ/2iOOba+sbKyc +aKiL1fSjip2criHA/05cYSomdUT+rTUZALFdCQuOU+gX8Rqhmfbo8VEE7MpE3nrv +HocQAFphyYgG8jadjggymE7sQEZGrBqOrwMDHitbpoGNlOI2VdFgL5jRKHuB61iC +kqTmSWuS4lbOEJmms6hhQnTnu/yK7O3NEWegAPMrtQIDAQABo1MwUTAdBgNVHQ4E +FgQUFD7OXb2T6sOysRo3hj2f15SX8I8wHwYDVR0jBBgwFoAUFD7OXb2T6sOysRo3 +hj2f15SX8I8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANZRB +NFVUVZVehpj3QGbbSjp77m0V6JrEYn6u/XjLRFsUNw5Hh35UCR0HkKZ0cLgrVKb/ +8yL6LaYLOY6yDwEFWMtLXiF2S4noO8raEgW6A7DHawb2Y4ZNFRO4oBkyWbtd36Uu +UfSszs2av048wb5J/pNedRSx8I/FiCNWummzpkBHzx023TdLPd8fmkmG7ZBpStN0 +Y//EE4DKTfHxAwt5w7WdZF5EY/KHPopnR+WSrdutRIK6zT+/+vKihtHYZbrv+7Ap +K7xOM/zJ6E9vUROmuOhL3YL3MuLn5qHEvhM0eMxEAlCnSJlFkQE4/RXhDpZJYbR7 +x+PQllgoo4H6W30Dew== +-----END CERTIFICATE----- diff --git a/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-20-22.crt b/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-20-22.crt new file mode 100644 index 00000000000..3c970288e83 --- /dev/null 
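Review bot: Every UpdateVars.efi line in startup.nsh runs unconditionally and `reset -s` then powers the VM off regardless of outcome, so a rejected or failed enrollment (an .auth signed for the wrong variable, or a dbx update refused) yields a variables image with partial contents that looks identical to success unless something validates it after the qemu run (the ovmf-secboot recipe continues past the end of SOURCE, so I cannot tell). The EDK2 shell exposes the previous command's status as `%lasterror%`; wrapping each enrollment as `if %lasterror% ne 0 then` … `endif` (echoing a marker the build can grep for, or skipping the `reset -s`) would make enrollment failures visible to the build. A short header comment stating the intended order — LockDown.efi first, then the extra db entries, the MS KEK, the dbx, and only then the poweroff — would also help readers, since the script relies on that sequence implicitly.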
+++ b/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-20-22.crt @@ -0,0 +1,23 @@ +subject=CN=PPA canonical-kernel-team uc20-build UEFI +issuer=CN=PPA canonical-kernel-team uc20-build UEFI +-----BEGIN CERTIFICATE----- +MIIDOzCCAiOgAwIBAgIJANAnelPzxGcFMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV +BAMMKVBQQSBjYW5vbmljYWwta2VybmVsLXRlYW0gdWMyMC1idWlsZCBVRUZJMB4X +DTIwMDUxMTE3MjEwNFoXDTMwMDUwOTE3MjEwNFowNDEyMDAGA1UEAwwpUFBBIGNh +bm9uaWNhbC1rZXJuZWwtdGVhbSB1YzIwLWJ1aWxkIFVFRkkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDD4P2NFFV1/RP3OzllI+su2KSOmN0AcFXQ6SbD +b152f9WjfqbfAg2OB7WB6l2LBQVT8ak3fzRl/cEvCju8FtB1mNgU+oFKNZbVivf0 +L0zd+wAwiP8o7l4L13ssyeh0/4iaQ5Dqocjrptl+fRu86N3wOyZ/CW9NGj9a0zWP +TZ5ts7PE1XL1YqpqMp7tUUgrjlcatiStQ5iju5ETg3P8+KpXjxvVRXPjBm6GMmKM +PuJN82MS2J0EaTBOX7N7prExM9MYnfIG+bkWXU4HVEh6eAwpF1wFE9ugzRm6mrAg +5+XB5iF7RL3b9SBhU/gXvj5BgYuzJSCNvEnwgTE8KGlbvS+dAgMBAAGjUDBOMB0G +A1UdDgQWBBQx0U3/bz0E2+nXXIgcA7MohFmVHjAfBgNVHSMEGDAWgBQx0U3/bz0E +2+nXXIgcA7MohFmVHjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCU +IqwVmXP/Rg3uta5WKLC3JKNgC8yHXN3m8JRubSBrX/Fi1YI5xqXf+WHs7Ga/KP9n +xIoUOYZUl3jpJlxxjLZABTkrA4NOPUGAs9v9iur4ox0JqvXjqhN/BCFGQd6yAfFE +AsbXppgp32vQvMHmyfUbMnhtLjU4DS90q/G5miIdZx6vm/4VyYRiK7ds9zThMK+q +LM3c+LaoB47GTzcyKOdjuWVumq/h4YVMoYIyiltmK9fY0yRwRP+GR4aM9FrIXo1o +tUx4027AUliM0plkx8TWAehovAjIFWZ6ZJBX7f9lwL4dRFNKMfLfN4Q1idTTLcol +to5k4Js3yWIuRMmlZKEb +-----END CERTIFICATE----- + diff --git a/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-24.crt b/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-24.crt new file mode 100644 index 00000000000..18aed56c4a5 --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-24.crt 
@@ -0,0 +1,24 @@ +subject=CN=PPA canonical-kernel-team ppa +issuer=CN=PPA canonical-kernel-team ppa +-----BEGIN CERTIFICATE----- +MIIDXjCCAkagAwIBAgIJAOUmq1qLuzz/MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV +BAMTHVBQQSBjYW5vbmljYWwta2VybmVsLXRlYW0gcHBhMB4XDTEyMTAxOTE1NTA0 +OVoXDTIyMTAxNzE1NTA0OVowKDEmMCQGA1UEAxMdUFBBIGNhbm9uaWNhbC1rZXJu +ZWwtdGVhbSBwcGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKrpj4 +Fdqggxw6fl3fwhOo5YAaXEaB0gq2NSsrMQLVe3Q3SzZPPrPAKCwPvG6dZYxbNeGS +e3Jdwnqovsrn2V50T+01AuDh6WB6bTVNXtAvjDJyCN030+g9Nn5yUGNUPg7jDTvM +eliYVVV4gBNjOwjBTkeKa5kEmXV0zBuX0lB6F8sq8iM7jK8N642dOqd3ImA/uuNA +tNClV2MzpN1i1Z1L88JWDLwpJ/lXugSkGu/Zl4WlX5BoxdA0Czesy0K8Pbug+AHS +RlF59LtUmbL5PCbzO6M1WymXzSM3nEJtc8KA/fMieNR1yZIIS+wuTVsbhbx4Bumh +CfDuDFK/yASm91AHAgMBAAGjgYowgYcwHQYDVR0OBBYEFFXASWHxBDpz4VDQW87q +IHMg2IX+MFgGA1UdIwRRME+AFFXASWHxBDpz4VDQW87qIHMg2IX+oSykKjAoMSYw +JAYDVQQDEx1QUEEgY2Fub25pY2FsLWtlcm5lbC10ZWFtIHBwYYIJAOUmq1qLuzz/ +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGYoHI7FNoGejbeQyZOj +ciDQvPVoXnYxWWQRp3uz9r0IbO0G0rF4nLreNkzwwRXtRaYJboY1XinL/KMclbyP +wnm5uZTuJ5KobLOsOyeM5EK5Fz5wARkuQ4kvkocgFFdUvdDi0xS5ZLsi1PbAGinc +q5ByfnPCLSd8Wfs+KBmhrg6Od45uhJ5UUbvDwOOGkDPjpqXcuod9y3n/DXLagTOE +rGCQwLlmRKdsuRgxC+WBDqzCrOw/93QAL2jILd2tHHHq/mOlVdFWWnybIy0n+KEP +Ck2ZiEtB/ReoZUxUIXnmNtojishNKfKiMISNezI8SRKgwSvzNQaRCzdkJJo5RV/S +s9s= +-----END CERTIFICATE----- + diff --git a/tests/lib/snaps/store/test-snapd-ovmf/snapcraft.yaml b/tests/lib/snaps/store/test-snapd-ovmf/snapcraft.yaml new file mode 100644 index 00000000000..3b7db1671ab --- /dev/null +++ b/tests/lib/snaps/store/test-snapd-ovmf/snapcraft.yaml 
@@ -0,0 +1,197 @@ +name: test-snapd-ovmf +base: core24 +confinement: strict +version: edk2-stable202411 +summary: OVMF build of EDK2 with test keys +description: | + Build of OVMF firmware with enrolled test keys for use in snapd CI. + This snap contains: + - fw/ + - OVMF_CODE.fd: Firmware + - OVMF_VARS.fd: Non volatile memory for setup mode (secure boot is disabled but can be enabled). + - OVMF_VARS.enrolled.fd. Non volatile memory with test keys enrolled. + - secboot/ + - PK.{key,crt}: platform key + - KEK.{key,crt}: key exchange key + - DB.{key,crt}: main key + The keys that are enrolled are: + - The PK, KEK and DB from secboot/ + - The deprecated snakeoil key used to sign development builds + - The kernel keys for edge channels + - The Microsoft MicCorKEK and MicCorUEFCA keys + - An initial dbx which contains just a throw-away key + +parts: + ovmf: + build-packages: + - uuid-dev + - nasm + - acpica-tools + plugin: nil + source: https://github.com/tianocore/edk2.git + source-tag: edk2-stable202411 + override-build: | + set +eu + . 
./edksetup.sh + set -eu + + make -C BaseTools/Source/C -j"${CRAFT_PARALLEL_BUILD_COUNT}" + + build_args=( + --buildtarget=RELEASE + --tagname=GCC5 + -D TPM1_ENABLE + -D TPM2_ENABLE + -D TPM2_CONFIG_ENABLE + -D SECURE_BOOT_ENABLE + ) + case "${CRAFT_ARCH_BUILD_FOR}" in + amd64) + build_args+=( + --platform='OvmfPkg/OvmfPkgIa32X64.dsc' + --arch=IA32 + --arch=X64 + -D SMM_REQUIRE + ) + ARCH=X64 + OVMF=OVMF + PLATFORM_DIR=Ovmf3264 + CODE=CODE + ;; + arm64) + build_args+=( + --platform=ArmVirtPkg/ArmVirtQemu.dsc + --arch=AARCH64 + ) + ARCH=AARCH64 + OVMF=QEMU + PLATFORM_DIR=ArmVirtQemu-AARCH64 + CODE=EFI + ;; + esac + build -n "${CRAFT_PARALLEL_BUILD_COUNT}" \ + "${build_args[@]}" + + case "${CRAFT_ARCH_BUILD_FOR}" in + arm64) + truncate --size=64M \ + "Build/${PLATFORM_DIR}/RELEASE_GCC5/FV/${OVMF}_${CODE}.fd" \ + "Build/${PLATFORM_DIR}/RELEASE_GCC5/FV/${OVMF}_VARS.fd" + ;; + esac + + install -Dm644 -t "${CRAFT_PART_INSTALL}/fw" \ + "Build/${PLATFORM_DIR}/RELEASE_GCC5/FV/${OVMF}_${CODE}.fd" \ + "Build/${PLATFORM_DIR}/RELEASE_GCC5/FV/${OVMF}_VARS.fd" \ + "Build/${PLATFORM_DIR}/RELEASE_GCC5/${ARCH}/Shell.efi" + + import-snakeoil: + # We also enroll the snakeoil key for transition. But we should + # need to do that. We can sign our kernels with DB.key instead. 
+ plugin: dump + source: snakeoil + organize: + PkKek-1-snakeoil.pem: snakeoil/PkKek-1-snakeoil.pem + kernel-edge-20-22.crt: snakeoil/kernel-edge-20-22.crt + kernel-edge-24.crt: snakeoil/kernel-edge-24.crt + prime: + - -* + + efitools: + build-packages: + - gnu-efi + - libssl-dev + - sbsigntool + - help2man + - libfile-slurp-perl + after: + - import-snakeoil + plugin: nil + source: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git + source-tag: v1.9.2 + override-pull: | + craftctl default + patch -p1 <"${CRAFT_PROJECT_DIR}/efitools-updatevars-temporary-constants.patch" + patch -p1 <"${CRAFT_PROJECT_DIR}/efitools-ms-kek.patch" + override-build: | + cp "${CRAFT_STAGE}/snakeoil/PkKek-1-snakeoil.pem" snakeoil.crt + cp "${CRAFT_STAGE}/snakeoil/kernel-edge-20-22.crt" kernel-edge-20-22.crt + cp "${CRAFT_STAGE}/snakeoil/kernel-edge-24.crt" kernel-edge-24.crt + # Make sure we have Snake Oil as origanization name to trigger work-arounds in secboot + openssl req -new -x509 -newkey rsa:2048 -subj "/CN=DB/O=Snake Oil/" -keyout DB.key -out DB.crt -days 3650 -nodes -sha256 + make -j1 EXTRAKEYS="revoked snakeoil kernel-edge-20-22 kernel-edge-24" MYGUID="7bea37ed-f339-470a-aefe-c6b1bef55040" all revoked-hash-blacklist.esl + ./sign-efi-sig-list -c KEK.crt -k KEK.key dbx revoked-hash-blacklist.esl initial-dbx.auth + install -Dm644 -t "${CRAFT_PART_INSTALL}/secboot" \ + LockDown-signed.efi UpdateVars-signed.efi \ + {PK,KEK,DB}.{key,crt} \ + snakeoil-update.auth \ + kernel-edge-20-22-update.auth \ + kernel-edge-24-update.auth \ + ms-kek-pkupdate.auth \ + ms-uefi-update.auth \ + initial-dbx.auth + prime: + - -secboot/LockDown-signed.efi + - -secboot/UpdateVars-signed.efi + - -secboot/*-update.auth + - -secboot/initial-dbx.auth + + lockdown-image: + build-packages: + - dosfstools + - mtools + after: + - ovmf + - efitools + plugin: nil + source: lockdown-image + override-build: | + mkdir -p ./root/efi/EFI/BOOT + sbsign "${CRAFT_STAGE}/fw/Shell.efi" --key 
"${CRAFT_STAGE}/secboot/DB.key" --cert "${CRAFT_STAGE}/secboot/DB.crt" --output ./root/efi/EFI/BOOT/BOOTX64.EFI + cp "${CRAFT_STAGE}/secboot/LockDown-signed.efi" ./root/efi/LockDown.efi + cp "${CRAFT_STAGE}/secboot/UpdateVars-signed.efi" ./root/efi/UpdateVars.efi + cp "${CRAFT_STAGE}/secboot"/*-*update.auth ./root/efi/ + cp "${CRAFT_STAGE}/secboot/initial-dbx.auth" ./root/efi/ + + rm -f lockdown.img + truncate --size 100M lockdown.img + systemd-repart --empty=require --dry-run=no --offline=true --definitions=./repart.d --root=./root lockdown.img + + install -Dm644 -t "${CRAFT_PART_INSTALL}" lockdown.img + prime: + - -lockdown.img + + ovmf-secboot: + build-packages: + - ipxe-qemu + - to amd64: + - qemu-system-x86 + - to arm64: + - qemu-system-arm + after: + - lockdown-image + plugin: nil + source: lockdown-image + override-build: | + case "${CRAFT_ARCH_BUILD_FOR}" in + amd64) + OVMF=OVMF + MACHINE=q35 + CODE=CODE + qemu=qemu-system-x86_64 + ;; + arm64) + OVMF=QEMU + MACHINE=virt + CODE=EFI + qemu=qemu-system-aarch64 + ;; + esac + cp "${CRAFT_STAGE}/fw/${OVMF}_VARS.fd" . + + "${qemu}" -nographic -m 4G -smp 2 -M "${MACHINE}" -cpu max \ + -drive "if=pflash,unit=0,file=${CRAFT_STAGE}/fw/${OVMF}_${CODE}.fd,readonly=on,format=raw" \ + -drive "if=pflash,unit=1,file=${OVMF}_VARS.fd,format=raw" \ + -drive "if=virtio,file=${CRAFT_STAGE}/lockdown.img,format=raw"